Trustwave – Man in the middle Certificate

Certificate authority Trustwave issued a certificate to a company allowing it to issue valid certificates for any server. This enabled the company to listen in on encrypted traffic sent and received by its staff using services such as Google and Hotmail. Trustwave has since revoked the CA certificate and vowed to refrain from issuing such certificates in future.

According to Trustwave, the CA certificate was used in a data loss prevention (DLP) system, intended to prevent confidential information such as company secrets from escaping. The DLP system monitored encrypted connections by acting as a man-in-the-middle, meaning that it tapped into the connection and fooled the browser or email client into thinking it was communicating with the intended server. To prevent certificate errors, the DLP system needed to be able to produce a valid certificate for each connection – the Trustwave CA certificate enabled it to issue such certificates itself. The same principle is utilised by espionage attacks and government monitoring activities.

The usual procedure for legitimate data loss prevention is for administrators to set up an internal certificate authority which, in consultation with staff and management representatives, is then installed on work devices. Such a system is not, however, able to offer protection where staff are using personal devices which do not belong to the company.


Trustwave is keen to point out that the company to which the certificate was issued had signed a usage agreement and both the secret CA key and the fake certificates generated using it were securely stored in a specially tested hardware security module (HSM). According to Trustwave, this meant that it was impossible to misuse the certificate for nefarious purposes. The company has nonetheless decided that it will not be pursuing this business avenue in future. The certificate has been revoked and Trustwave says that it will not be issuing any further certificates of this nature.

Security experts and privacy advocates have been warning for a while that any CA and any sub-CA authorised by it are able to issue certificates for any server. This is a cause of particular concern in the case of some government CAs, where there is every likelihood that they could assist with monitoring activities. This is the first case that we are aware of where a respectable certificate authority has enabled third parties to issue arbitrary SSL server certificates for monitoring purposes. Trustwave claims, however, that this is common practice among other root CAs.
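To show why this matters for defenders, here is an added Go example that is not part of the article or of any Trustwave product: a trusted root signs both a genuine server certificate and an unconstrained sub-CA, the sub-CA mints its own certificate for the same hostname, and standard chain validation accepts it, while a public-key pin recorded from an earlier direct connection flags the interception. The CA names, mail.example.com and the pinning scheme are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a certificate for cn with parent (self-signed when parent is nil).
// A CA certificate carries no name constraints, so it may sign a leaf for any hostname.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if !isCA { // a server leaf is valid only for its own hostname
		tmpl.DNSNames = []string{cn}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Check runs the chain validation a browser performs and, separately, compares the
// server key's SPKI hash with a pinned value: only the pin notices the interception.
func Check(leaf, inter, root *x509.Certificate, host string, pin [32]byte) (chainOK, pinOK bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil, err == nil && sha256.Sum256(leaf.RawSubjectPublicKeyInfo) == pin
}
// Demo models the article: one trusted root behind both the genuine server certificate and an unconstrained DLP sub-CA.
func Demo() (fakeChainOK, fakePinOK, genuinePinOK bool) {
	root, rootKey := issue("Public Root CA", true, nil, nil)
	dlp, dlpKey := issue("DLP Interception Sub-CA", true, root, rootKey)
	genuine, _ := issue("mail.example.com", false, root, rootKey)
	fake, _ := issue("mail.example.com", false, dlp, dlpKey) // minted without the site's knowledge
	pin := sha256.Sum256(genuine.RawSubjectPublicKeyInfo)       // learned on an earlier direct connection
	fakeChainOK, fakePinOK = Check(fake, dlp, root, "mail.example.com", pin)
	_, genuinePinOK = Check(genuine, root, root, "mail.example.com", pin)
	return fakeChainOK, fakePinOK, genuinePinOK // true, false, true
}
```

The first result is the problem the article describes: the intercepting certificate chains cleanly to a trusted root, so nothing in ordinary validation distinguishes it from the genuine one; only out-of-band knowledge such as a pin or certificate transparency logs can.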

Mozilla considers removing Trustwave CA:

Scandalised by the snooping certificate issued by Trustwave, a heise Security reader, Sebastian Wiesinger, has submitted a report to Mozilla’s bug database in which he requests that Trustwave’s root certificates be removed from all Mozilla products. Mozilla’s Kathleen Wilson, who handles the issue, has accepted the submission and requested a statement from Trustwave. Trustwave’s Brian Trzupek has already announced the release of further information which, he says, is still waiting for internal approval.

Yesterday, The H’s associates at heise Security reported on the first publicly known case in which a widely accepted Certificate Authority sold a root certificate for surveillance purposes. Although Trustwave has said that the case was a one-off, that any misuse was impossible and that the certificate in question has since been revoked, critics think that the issuer has violated the Mozilla CA Certificate Policy. Among other things, this policy states that CAs must not knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates.

Interestingly, Trustwave also said that its actions are common practice with many CAs. Symantec, who purchased the biggest Certificate Authority, VeriSign, and is one of the major suppliers of Data Loss Prevention products, has so far not responded to questions on this subject that were asked before the article was published yesterday.